-
Log and sourcetype reporting in Splunk
I want to report on logs ingested with Cribl in the Splunk environment. The logs will remain stored on the Cribl side, but the reporting will be done in Splunk. How can I achieve this? The logs are NOT forwarded to Splunk. Thank you in advance for your answers.
-
Where is the equivalent setting to Splunk's Source type > Select Source Type > Structured > _json
Hi, I'm trying to set up a Splunk HEC within Cribl Stream, and I'm encountering the error "malformed HEC event." I've encountered that error when setting up HECs in Splunk, and to correct the problem I have to go to Source type > Select Source Type > Structured > _json when editing the HEC's settings. I've been looking and…
-
AWS SQS input not receiving/sending all region messages to Splunk
I recently set up our Amazon SQS queue in Cribl. Events are forwarding to Splunk; however, when compared to the pre-existing AWS logs in Splunk from the heavy forwarder TA, I noticed we are only pulling in events from one region via Cribl, as opposed to the 20 regions actually sending events and being received through the Splunk TA.…
-
What does an "Unsupported op-code 249" mean?
Why do we see this message when using Cribl v4.4.0 with S2S V4 and Splunk forwarder version 9.1.x: { "time": "2023-12-19T15:16:15.549Z", "cid": "w0", "channel": "input:in_splunk_tcp", "level": "error", "message": "closed connection", "src": "10.10.10.10:62453", "error": { "message": "Unsupported op-code 249.", "stack":…
-
Ldap queries for Active Directory Info
Can Cribl Stream carry out LDAP queries to Microsoft AD and then save the AD information in a lookup table or something similar? I want to automate fetching AD information from AD servers and then feeding it to a SIEM like Splunk or Elastic.
-
Adding Splunk Metadata to events
I have an event with no Splunk metadata values within the events, and I am trying to add new fields such as host, index, source and sourcetype as custom fields. I tried using an eval but had no luck. How do I go about this?
-
Is it possible to disable certificate validation when connecting a Splunk Search Collector?
Hello, we are trying to set up a Splunk Search collector against an on-prem Splunk with a self-signed certificate. Is it possible to disable certificate validation?
-
Is there a Cribl equivalent to Splunk’s rex mode=sed?
Hi all, is there a Cribl equivalent to Splunk’s rex mode=sed? I’ve tried replace_regex but I kept hitting a brick wall. I’m trying to take a timestamp with an indeterminate number of spaces and replace those spaces with a single space in a pipeline (using the ‘eval’ function). Data looks like this: timestamp: “2023-10-03…
-
Collect and Send S3 logs via Cribl to Splunk
Hello all, I'm new to Cribl and basically a Splunk admin and developer. I've been working on a Cribl migration project for a while. My requirement is to collect data from an S3 bucket via Cribl, apply some cool stuff, and then send it to Splunk for indexing. Now, I have established the connection with my S3 bucket from Cribl Stream.…
-
Handling the missing date_ fields for Splunk Enterprise Security
Splunk Enterprise Security… there's a lot of SPL out there that leverages the date_ fields that the TAs on Splunk HFs create when parsing time. How is everyone dealing with the lack of these fields, and with the aliasing to CIM etc. done by Splunk TAs, when leveraging Cribl Stream?